November 13, 2008

GEORGE W. WRIGHT
VICE PRESIDENT, INFORMATION TECHNOLOGY OPERATIONS

DEBORAH GIANNONI-JACKSON
VICE PRESIDENT, EMPLOYEE RESOURCE MANAGEMENT

SUBJECT: Audit Report – Security Policies and Procedures (Corporate-Wide) at the Information Technology and Accounting Service Centers for Fiscal Year 2008 (Report Number IS-AR-09-002)

This report presents the results of our audit of corporate-wide security planning and program management at the U.S. Postal Service's Information Technology and Accounting Service Centers (IT/ASCs) located in xxxxx, xxxxxxxxx; xxx xxxxx, xxxxxxxxxx; xxx xxx xxxxxx xxxxxxxx (Project Number 08RD001IS003). The objectives were to determine whether management established a framework and continuing cycle of activity for assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of these procedures. We performed this self-initiated review as part of the fiscal year (FY) 2008 information systems audit of general controls at IT/ASCs. See Appendix A for additional information about this audit.

Conclusion

Overall, management has established information security policies and procedures to protect critical and sensitive information resources. These include, but are not limited to, implementing the components of a security management structure and including security procedures in hiring and termination practices. However, our review identified opportunities to improve compliance with these policies and procedures. Specifically, management can improve personnel policy controls by initiating security clearance processing for all employees occupying sensitive positions. In addition, management could improve its identification of threats and vulnerabilities to computing resources by performing periodic application risk assessments.

Security Clearances

Management did not perform security clearance processing for nine of 454 Postal Service career IT employees in "sensitive" positions.[1] This occurred because Corporate Personnel Management employees were unsure of policies and responsibilities for initiating security clearance processing for positions classified as sensitive. Performing security clearance processing protects sensitive and critical Postal Service resources from potential loss and ensures that only reliable and trustworthy individuals access these resources. When we brought this issue to management's attention, they took corrective action to initiate the nine security clearances. See Appendix B for our detailed analysis of this topic.

We recommend the Vice President, Human Resources, direct the Manager, Corporate Personnel Management, to:

1. Develop a process to ensure security clearances are initiated for individuals in positions classified as sensitive.

2. Provide reports to the Security Control Officer on a semi-annual basis to track the security clearance status of employees in sensitive positions at the xxxxx, xxxxxxxxx; xxx xxxxx, xxxxxxxxxx; xxx xxx xxxxx, xxxxxxxx Information Technology and Accounting Service Centers.

System and Application Reviews

Management could not provide documentation to verify they had completed a current risk assessment on the six applications[2] we reviewed. This occurred because employees did not conduct or document risk assessments or the re-assessments that are required every 3 years as defined by Security Risk Management policy.[3] Performing risk assessments on a timely basis ensures the Postal Service develops adequate security measures to protect existing information resources. See Appendix B for our detailed analysis of this topic.

We recommend the Vice President, Information Technology Operations, direct the Manager, Corporate Information Security, to:

3. Perform risk re-assessments on the xxx applications reviewed during this audit.

4. Establish milestones to review all sensitive and critical applications for current risk assessments and complete the re-assessments on those applications that are not current.

Management's Comments

The Vice President, Employee Resource Management, agreed with recommendation 1 and stated Corporate Personnel Management would work with the Postal Inspection Service to ensure that a process is in place to initiate the necessary sensitive security clearances by January 15, 2009. Management stated they agree with the intent of recommendation 2 and will work with the Postal Inspection Service to ascertain the best process for providing information to the Security Control Officer (SCO).

The Vice President, Information Technology Operations, agreed with recommendations 3 and 4. For recommendation 3, the Corporate Information Security Office (CISO) will work with the appropriate Information Technology Business Systems portfolios to complete risk assessments by xxx xx, xxxx, for the six applications reviewed during this audit. Concerning recommendation 4, management will establish a risk reassessment schedule by December 31, 2008, and will complete the risk reassessments by xxxxxxxx xx, xxxx. See Appendix C for management comments in their entirety.

Evaluation of Management's Comments

The U.S. Postal Service Office of Inspector General (OIG) considers management's comments responsive to the recommendations, and their corrective actions should resolve the issues identified in the report.

We appreciate the cooperation and courtesies provided by your staff. If you have any questions or need additional information, please contact Gary C. Rippie, Director, Information Systems, or me at (703) 248-2100.

E-Signed by Tammy Whitcomb

Tammy L Whitcomb
Deputy Assistant Inspector General
 for Revenue and Systems

Attachments

cc: Ross Philo
    Harold Stark
    Joseph J. Gabris
    Elizabeth Hepner
    Katherine S. Banks

APPENDIX A: ADDITIONAL INFORMATION

BACKGROUND

A corporate-wide security program is the foundation of an organization's security control structure and a reflection of senior management's commitment to addressing security risks. Handbook AS-805[4] establishes the Postal Service's information security policies for appropriately identifying information resources and business requirements and protecting those information resources. The intent of information security policies is to ensure the creation and implementation of an environment that:

    •   Protects information resources critical to the Postal Service;
    •   Protects information as mandated by federal laws;
    •   Protects the personnel information and privacy of employees and customers;
    •   Reinforces the reputation of the Postal Service as an institution deserving public trust;
    •   Complies with due diligence standards for the protection of information resources; and,
    •   Assigns responsibilities to relevant Postal Service officers, executives, managers, employees, contractors, partners, and vendors.

The Postal Service has delegated the Manager, Corporate Information Security, authority for the development, implementation, and management of the information security program.[5]

OBJECTIVES, SCOPE, AND METHODOLOGY

The objectives were to determine whether management established a framework and continuing cycle of activity for assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of these procedures.

The scope of our review included corporate-wide security policies and procedures at the U.S. Postal Service's IT/ASCs located in xxxxx, xxxxxxxxx; xxx xxxxx, xxxxxxxxxx; xxx xxx xxxxx, xxxxxxxx.

Our review covered the main platforms the Postal Service uses in its computing environment.[6] We judgmentally selected the following six applications to review for FY 2008.[7]

    •    xxxxxxxx xxxx xxxxxxxxxx xxxxxx – xxxxxxxx xxxxxxxxxxx xxxxxxxxx xx xxxxxxx xxxxxxxxxxxxxx xx xxxxxxx xxxx xxx xx xxxxxxxxxx xxxxxxx xxx xxxxxxxx xxxxxxx xxx xxxxxxxxxxx xxxx.
    •    xxxxxxxxxx xxxxxx xxxxxx – xxxxxx xxxxxx xxxxxxx xxxxxxxxx xx xxxxxxxx xxxxxxxx xxxxx-xxxxxxx xxxx xxxxxx.
    •    xxxxxxxxxx xxxxxxxxx xxxxxxxxx xxxxxx – xxxxxxxx xxx xxxxx xxxxxx xxxxx xx xxxxxxxx xxx xxxxxxxxxxxxx xxxxxxx xxxl®, xxxxxxxxx xxx xxxxxxx xxxxxx xxx xxxxxxx xxxxxxxxxxx xx xxxx xxxxx xx x xxxxx xxxxx.
    •    xxxxxxx xxxxxxxx xxxxxx – xxxxxxxx x xxxxxxxxxx xxxxxxxxxxxxxx xxx xxxxxxxxxx xxx xxxxxxxxx xxxx xx xxx xxxxxxxx xxxxxxxx xxxxxx xx x xxxxxxxx.
    •    xxxxx xxxxxxxx xxxxxxxxxx xxxxxx – xxxxxx xxxxx xxxxx xxxxxxxx xx xxxxxx xxxxxxxx xxxxxxxxxxx xx xxxxxxx xxxx xxxxxxx xxxxxxxx.
    •    xxxxxxxxx – xxxxxxxx xxxxxx xxxxxxx xxxxxxxxxx xxx xxxxxxxxxxxxx xxxxxxxxxx xxxxxxxx xxx xxxxxxxxx xxxx xxxxxxxxxxx xxx xxxxxxxxxx.

To determine if management performed, documented, and updated risk assessments for the selected applications on a regular basis, we reviewed security risk management and IT recertification policies and procedures, interviewed key Postal Service personnel, and reviewed risk assessment documentation.

To determine if management documented, approved, and periodically reviewed security plans for the selected applications, we interviewed key Postal Service personnel and reviewed documentation.

To determine if management has established a security management structure, we reviewed documentation detailing the roles and responsibilities associated with Postal Service information security. To verify that management clearly assigned information security responsibilities, we reviewed the Postal Service's Information Security Plan, which identifies the owners and managers of computer resources. To determine if owners and users were aware of security policies, we interviewed system owners to determine what training employees had received and whether they were aware of their security-related responsibilities. To determine if management implemented an incident response capability, we interviewed management officials and reviewed an incident handling activity.

To determine if hiring policies address security, we reviewed Postal Service policies, interviewed key Postal Service personnel, and reviewed sensitive positions to determine whether management had performed security clearances. To determine if termination policies address security, we reviewed Postal Service policies and interviewed key Postal Service personnel. To verify that employees have adequate security training, we reviewed the Postal Service's employee training and professional development program.

We conducted this performance audit from February through November 2008 in accordance with generally accepted government auditing standards and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. We used manual and automated techniques to analyze computer-processed data. Based on the results of these tests and assessments, we generally concluded that the data were sufficient and reliable to use in meeting the objectives. We discussed our observations and conclusions with management officials during the audit and on October 1, 2008, and included their comments where appropriate.

PRIOR AUDIT COVERAGE

Report Title: Separation of Duties at the xxxxx, xxxxxxxxx; xxx xxxxx, xxxxxxxxxx; xxx xxx xxxxx, xxxxxxx Information Technology and Accounting Service Centers
Report Number: IS-AR-07-017
Final Report Date: August 29, 2007
Report Results: Overall policies, procedures, and internal controls were adequate to separate duties for personnel accessing critical information system resources at the data centers. However, controls to determine which career employees required sensitive security clearances needed strengthening. Specifically, management did not always review and update the classification of sensitive positions for employees at the three IT/ASCs in a timely manner. Also, some ASC career employees had sensitive security clearances, while other ASC employees in similar positions did not. Management agreed with all five recommendations and all remain open because action has not been completed.

Report Title: Personnel Security Controls at the xxxxx, xxx xxxxx, xxx xxx xxxxx Information Technology and Accounting Service Centers
Report Number: IS-AR-04-011
Final Report Date: September 8, 2004
Report Results: Internal controls over hiring and termination procedures for Postal Service employees and contractors were generally effective. There were no exceptions in the review of initial security clearances and updates for contractors; however, security clearance updates were not obtained for 20 Postal Service career employees holding sensitive positions at the xxx xxxxx xxx xxx xxxxx IT/ASCs. Management completed corrective action for the recommendation and this issue is closed.

APPENDIX B: DETAILED ANALYSIS

Security Clearances

Nine of 454[8] career employees in IT positions classified as "sensitive" did not have security clearances. In order to determine which IT positions at the xxxxx IT/ASCs require a security clearance, the SCO refers to the Information System Sensitive Position Register. The register lists all current IT positions and occupation codes for positions classified as sensitive. The SCO is responsible for maintaining a security clearance database for career and contract employees at the xxxxx, xxxxxxxxx; xxx xxxxx, xxxxxxxxxx; xxx xxx xxxxx, xxxxxxxx IT/ASCs.[9] The Postal Service uses this database to track interim, final, and updated sensitive security clearances[10] for current career employees and contractors in sensitive positions. The Postal Inspection Service is responsible for conducting background investigations and granting security clearances[11] for Postal Service career employees and contractors.[12]

We requested current information on the status of security clearances; in providing this information to us, the SCO compared the current Human Resource staffing report to the security clearance database and identified nine employees who did not have security clearances. One employee was a new hire and all but two of the remaining eight had been promoted into sensitive positions since 2005. Corporate Personnel Management, which handles Executive Administrative Services hires and promotions, assumed the CISO office was responsible for the initial security clearance documentation for IT sensitive positions.

When an employee accepts a career position with the Postal Service, Corporate Personnel Management is responsible for providing the initial security clearance documentation and instructions. They forward this information to the Postal Inspection Service, Operations Support Group (ISOSG), Security Investigation Service Center, for processing. The ISOSG grants the interim clearance within 10 days of receiving the paperwork and the final clearance follows the full background review. The ISOSG forwards notification of the interim and final security clearances to the SCO, who uses this information to update the security clearance database.

System and Application Reviews

Management could not provide documentation to verify they had completed risk assessments for the six applications we reviewed. When we requested support to determine if the risk assessments were performed and documented on a regular basis, management stated they could not locate all of the documents but would provide any documentation available. According to Postal Service policy, a risk assessment is required for all information resources and will be performed in conjunction with system development. Further, risk assessments must be updated at least every 3 years following the deployment of an information resource.[13] We requested documentation to verify that the re-assessments were current and that management had updated them every 3 years. Management provided documentation for three of the six systems reviewed – xxxx, xxxx xxxxxxxx xxxxxxxx xxxx; xxxxxxx, xxxx xxxxxxxx xxxxxxx xxxx; xxx xxxxxxx, xxxx, xxxx xxxxxxxx xxxxxxxx xxxx. Based on our review of those documents, the required re-assessments had not been performed.

Recertification re-evaluates the protection of existing resources to determine if the risk associated with deployment can be managed throughout the lifecycle of the resource.[14] It is the responsibility of the CISO to re-assess and re-certify information resources.

Performing risk assessments helps make certain that management identifies and considers all threats and vulnerabilities, identifies the greatest risks, and makes appropriate decisions regarding which risks to accept and which to mitigate through security controls.

APPENDIX C: MANAGEMENT'S COMMENTS

NOTES

[1] Handbook AS-805, Information Security, March 2002 (updated with Postal Bulletin revisions through November 23, 2006), Section 6-4.1, states that sensitive positions, as defined in the Administrative Support Manual (ASM) 27, Security, include those in which personnel could, in the normal performance of their duties, cause material adverse effect to Postal Service information resources. xxx xxxxxxxx xxxxxxxxx xxxxxxxx xxxxxxxxx xxx xxxxxxxxxxx (xxx xxxxxxxxxxx xxx xxx xxxxxx xxxxxxxxx).

[2] xxx xxxxxxxxxxxx xx xxxxxxxx xxxx xxx xxxxxxxx xxxx xxxxxxxxxx xxxxxx (xxxx); xxxxxxxxxx xxxxxx xxxxxx (xxxxxxx); xxxxxxxxxx xxxxxxxxx xxxxxxxxx xxxxxx (xxxx); xxxxxxx xxxxxxxx xxxxxx; xxxxx xxxxxxxx xxxxxxxxxx xxxxxx; xxx xxxxxxxxx.

[3] Information Technology (IT) Manual, Security Risk Management Policy, Information Resource Risk Management, dated March 25, 2008, states that risk assessments must be re-assessed and the risk assessment report updated at least every 3 years following deployment of a resource unless earlier re-assessment is warranted.

[4] Handbook AS-805 has been incorporated into the new Information Technology (IT) Manual, Corporate Information Security, March 25, 2008. xxx xxxxxx xx xxxxxxx xx xxx xxx xx xxxxxxx (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx), xxxxx xx xxx xxx xxxxxxx xxxxxxxxxx xxx xx-xxxxxxx xxxxxxxxxxx, xxxxxxxx, xxxxxxxxx, xxx xxxxxxxxx.

[5] IT Manual, Corporate Information Security, Roles and Responsibilities, March 25, 2008.

[6] xxx xxxxxx xxxxxxxxx xxxxxxxxx xxxxxxxxxxx xxxxxxxxx xxxxxxx xxxxxxxxx, xxxx, xxxxxxx, xxx, xxx xxxxxx.

[7] The criteria for selection included a system or application that is financial or directly supports the financial statements; has a nationwide impact; is classified sensitive or critical while in production; was not recently reviewed by an OIG or Ernst & Young audit team; and is identified as Sarbanes-Oxley related.

[8] xxx xxxxxxxx xxxxxxxxx xxxxxxxx xxxxxxxxx xxx xxxxxxxxxxx (xxx xxxxxxxxxxx xxx xxx xxxxxx xxxxxxxxx).

[9] This requirement was established based on the audit, Personnel Security Controls at the xxxxx, xxx xxxxx, xxx xxx xxxxx IT/ASCs (Report No. IS-AR-04-011, dated September 8, 2004). Management expanded the security clearance database used by the SCO in xxxxx to include employees assigned to sensitive positions at the xxx xxxxx xxx xxx xxxxx IT/ASCs.

[10] ASM 13, Section 272.22, July 1999 (updated with Postal Bulletin revisions through September 27, 2007), states that sensitive clearances are considered for Postal Service employees who, by virtue of their duties, have access to sensitive information restricted to the highest levels of the federal government or OIG files, Postal Inspection Service files, national security (classified) information, or sensitive information essential to executive decision making.

[11] IT Manual, Corporate Information Security, Roles and Responsibilities, page 2, March 25, 2008.

[12] ASM 13, Section 272.3, July 1999, states that individuals who provide contract services to the Postal Service (including contractors, contractors' employees, subcontractors, and subcontractors' employees at any tier) and who have access to occupied Postal Service facilities and/or to Postal Service information and resources (including postal computer systems) must obtain a clearance as provided in Section 272 before getting access.

[13] IT Manual, Corporate Information Security, Policy, Processes, and Standards, Security Risk Management Policy, March 25, 2008.

[14] IT Manual, Corporate Information Security, Recertification Process, March 25, 2008.